
Read Flask variable from Javascript

I am doing a CTF challenge, but my question is not about how to solve it, rather the syntax. The challenge is to read the secret key in Flask server's configuration. It is stored in the app.secret_key variable and I want to alert it on the screen by XSS.

Question: how can I access that variable in Flask code from javascript and put it in <script>alert(variable)</script> snippet?

I tried <script type="text/javascript">let v="{{=app.secret_key}}"; alert(v); </script> but it gave Internal Server Error.

First, it must be said, in general you should absolutely not do this. app.secret_key should never, ever be exposed publicly and should be regarded as a closely guarded secret. Hence the name. But since you're doing this for presumably good reasons involving your game, let's continue.

Probably the simplest way to expose Python variables to JavaScript is directly in the template by dumping JSON. Consider this code:

import json

from flask import Flask, render_template

app = Flask(__name__)
app.secret_key = 'THIS IS SECRET'


@app.route('/')
def hello_world():
    server_vars = {
        'secretKey': app.secret_key,
        'favoriteFoods': ['Eggs', 'Spam']
    }

    return render_template(
        'hello.html',
        server_vars=json.dumps(server_vars)
    )


if __name__ == '__main__':
    app.run()

We're rendering the template hello.html and sending it a template variable, server_vars, which is a rendered JSON string of the same server-side variable, which is a dictionary. This enables us to send any number of arbitrary JSON-compatible variables to JavaScript. See hello.html:

<!doctype html>
<html lang="en">
<head>
  <title>Document</title>
</head>
<body>
<script>
  window.serverVars = {{ server_vars | safe }};
  alert(window.serverVars.secretKey)
  console.log('btw, my favorite foods are', window.serverVars.favoriteFoods)
</script>
</body>
</html>

Notice that in addition to sending secretKey, we actually sent a Python list, which was converted into an array in JavaScript.
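One caveat a reviewer would add to the answer above: `json.dumps()` does not escape `<`, so a value containing `</script>` dropped into the page through `| safe` ends the script block early and the rest is parsed as HTML. Flask's built-in `tojson` filter escapes `<`, `>`, `&` and `'` as `\uXXXX` sequences for exactly this reason. The following is an added, stand-alone illustration (not code from the answer) that mimics both renderings with the standard library only; the escape table is assumed to match what the `tojson` filter applies, and the sample values are constructed.

```python
import json
import re

# Escapes applied by Jinja's HTML-safe JSON dump, which Flask's ``tojson``
# filter uses. Assumed here to match current Flask/Jinja behaviour.
_HTML_SAFE = str.maketrans({
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
})

# Constructed sample: one value happens to contain a closing script tag.
SAMPLE_VARS = {
    "secretKey": "placeholder-not-a-real-key",
    "note": "</script><b>oops</b>",
}

_SCRIPT_TMPL = "<script>\n  window.serverVars = %s;\n</script>"


def htmlsafe_dumps(value):
    """json.dumps plus escaping of characters that could terminate a <script> block."""
    return json.dumps(value).translate(_HTML_SAFE)


def render_with_safe_filter(server_vars):
    """Mimics the answer's pattern: json.dumps() on the server, ``| safe`` in the template."""
    return _SCRIPT_TMPL % json.dumps(server_vars)


def render_with_tojson(server_vars):
    """Mimics ``{{ server_vars | tojson }}`` applied to the dict itself."""
    return _SCRIPT_TMPL % htmlsafe_dumps(server_vars)


_SCRIPT_END = re.compile(r"</script", re.IGNORECASE)


def script_block_intact(html):
    """True when the only ``</script`` in the page is the intended closing tag."""
    return len(_SCRIPT_END.findall(html)) == 1


def roundtrip_equal(value):
    """The escaped form is still valid JSON that decodes to the original value."""
    return json.loads(htmlsafe_dumps(value)) == value
```

In a real template the same effect comes from passing the dict (not a pre-dumped string) and writing `{{ server_vars | tojson }}` with no `| safe`.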
